Lillestrøm Municipality
Insufficient technical and organisational measures to ensure information security
Dato for beslutning
2. februar 2022
Myndighed
Norwegian Supervisory Authority (Datatilsynet)
NO
Sektor
Public Sector and Education
Land
NO
Lovgivning
GDPRStatus
FINALBeskrivelse
The Norwegian DPA has imposed a fine of EUR 30,000 on Lillestrøm Municipality. The municipality had accidentally published a document in which 10 out of 21 attachments contained personal data of students. The data included information on student names, date of birth, test results, assessments of student behavior and student challenges. This error was not detected by the responsible administrator and went through two more manual quality checks at the documentation center without the error being detected there as well. It was only a journalist who later drew attention to the data breach. During its investigation, the DPA found that the municipality had not taken sufficient technical and organizational measures to protect personal data. Also, the fact that the incident was discovered not by the municipality, but by a third party, indicates inadequate routines in this area.